PatchSiren cyber security CVE debrief
CVE-2024-44944 Siemens CVE debrief
CVE-2024-44944 is a Linux kernel vulnerability in the netfilter ctnetlink subsystem where the delete expectation path fails to use the nf_expect_get_id() helper function when calculating expectation IDs. This omission results in the leakage of the least significant bit (LSB) of the expectation object address to userspace, constituting an information disclosure weakness. The vulnerability has been resolved in the Linux kernel. Siemens has assessed this CVE as applicable to certain industrial networking products including the RUGGEDCOM RST2428P and SCALANCE families, though the specific impact rating for these products is noted as 'Misinformed' in the source advisory. The CVSS v3.1 base score of 5.5 (MEDIUM) reflects the information disclosure impact with local attack vector and low attack complexity. Organizations should apply kernel updates from their Linux distribution or Siemens product updates as they become available.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Linux system administrators, industrial control system operators using Siemens RUGGEDCOM RST2428P or SCALANCE networking equipment, security teams responsible for kernel security updates, and organizations running netfilter-based firewall or NAT infrastructure on Linux systems.
Technical summary
The vulnerability exists in the Linux kernel's netfilter connection tracking netlink (ctnetlink) interface. When deleting connection tracking expectations, the code path fails to invoke nf_expect_get_id() to properly calculate the expectation ID. Instead, the raw pointer address or an improperly derived value is exposed, leaking the least significant bit of the kernel heap address to userspace. This information disclosure weakness could assist attackers in bypassing kernel address space layout randomization (KASLR) protections. The fix ensures consistent use of the nf_expect_get_id() helper across all expectation ID calculation paths.
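A simplified userspace model of the ID derivation described above, added here as an illustration; it is not kernel code and does not come from the advisory. The 32-bit truncation, the `mix64` stand-in hash, the secret value, and the sample addresses are all assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: two neighbouring kernel-style heap addresses, 0x100 apart. */
#define EXP_A 0xffff888104c3a200ULL
#define EXP_B 0xffff888104c3a300ULL

/* Address-derived ID: the pattern the summary attributes to the delete path.
 * Assumption of this model: the address is truncated to 32 bits. */
static uint32_t id_from_address(uint64_t addr)
{
    return (uint32_t)addr;
}

/* splitmix64 finalizer, used only as a stand-in mixer (NOT the kernel's hash). */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Hypothetical model of a helper-style ID: the address is mixed with a secret,
 * so the ID stays stable per object but no longer exposes address bits. */
static uint32_t id_from_helper(uint64_t addr, uint64_t secret)
{
    return (uint32_t)mix64(mix64(addr ^ secret) + secret);
}

/* Delete-path check in the corrected form: the ID supplied by userspace is
 * compared against the same helper-derived ID that every other path uses. */
static int delete_matches(uint32_t user_id, uint64_t addr, uint64_t secret)
{
    return user_id == id_from_helper(addr, secret);
}

int main(void)
{
    uint64_t secret = 0x0123456789abcdefULL; /* constructed value for the model */

    printf("address-derived: %08x %08x\n",
           (unsigned)id_from_address(EXP_A), (unsigned)id_from_address(EXP_B));
    printf("helper-derived:  %08x %08x\n",
           (unsigned)id_from_helper(EXP_A, secret), (unsigned)id_from_helper(EXP_B, secret));
    return 0;
}
```

In the model, the address-derived IDs are the low address bits themselves and differ by exactly the object spacing, while the helper-derived IDs show no such relationship yet still identify the object consistently across code paths.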
Defensive priority
medium
Recommended defensive actions
- Apply Linux kernel updates from your distribution vendor that include the fix for netfilter ctnetlink expectation ID calculation
- Monitor Siemens ProductCERT advisory SSA-355557 for product-specific patches for affected RUGGEDCOM and SCALANCE devices
- Review and update network segmentation controls for industrial control systems running affected Siemens products
- Implement defense-in-depth strategies per CISA ICS recommended practices for industrial control environments
- Verify the kernel version on Linux-based systems and ensure the nf_expect_get_id() helper is present in the netfilter ctnetlink code path
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The threat category in the source data indicates 'Misinformed' impact for affected product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. The CVE was published on 2025-08-12 and last modified on 2026-02-25 per CISA republication.
Official resources
- CVE-2024-44944 CVE record (CVE.org)
- CVE-2024-44944 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12